Analysis
-
max time kernel
1790s -
max time network
1792s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
20-01-2021 15:27
Static task
static1
Behavioral task
behavioral1
Sample
0120_91448090.doc
Resource
win7v20201028
windows7_x64
0 signatures
0 seconds
General
-
Target
0120_91448090.doc
-
Size
714KB
-
MD5
838c2a21783dfaa3bda9813f0e32cf89
-
SHA1
b4beab0f75d1462f3509b15319545c1f18c91449
-
SHA256
f068b16458493f485c6fa0e77281126c6672c76a4cfa0beb195cf180894e674f
-
SHA512
d1f3a3d923f54c2fdcce25933b9f7acf3efb538cdb732dd8a347ec27616ca5d977e4e03c4813a62042609cce6d3ae0933ca2872ebfd4f76eb2cd170c1dded116
Score
10/10
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
rundll32.exedescription pid pid_target process target process Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process 1772 2008 rundll32.exe WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Office loads VBA resources, possible macro or embedded object present
-
Processes:
WINWORD.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 2008 WINWORD.EXE -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
WINWORD.EXEpid process 2008 WINWORD.EXE -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
WINWORD.EXEdescription pid process Token: SeShutdownPrivilege 2008 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 2008 WINWORD.EXE 2008 WINWORD.EXE -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
WINWORD.EXEdescription pid process target process PID 2008 wrote to memory of 1624 2008 WINWORD.EXE splwow64.exe PID 2008 wrote to memory of 1624 2008 WINWORD.EXE splwow64.exe PID 2008 wrote to memory of 1624 2008 WINWORD.EXE splwow64.exe PID 2008 wrote to memory of 1624 2008 WINWORD.EXE splwow64.exe PID 2008 wrote to memory of 1772 2008 WINWORD.EXE rundll32.exe PID 2008 wrote to memory of 1772 2008 WINWORD.EXE rundll32.exe PID 2008 wrote to memory of 1772 2008 WINWORD.EXE rundll32.exe PID 2008 wrote to memory of 1772 2008 WINWORD.EXE rundll32.exe PID 2008 wrote to memory of 1772 2008 WINWORD.EXE rundll32.exe PID 2008 wrote to memory of 1772 2008 WINWORD.EXE rundll32.exe PID 2008 wrote to memory of 1772 2008 WINWORD.EXE rundll32.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0120_91448090.doc"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2008 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:1624
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Templates\W0rd.dll,UninstallFont2⤵
- Process spawned unexpected child process
PID:1772
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1624-5-0x0000000000000000-mapping.dmp
-
memory/1624-6-0x000007FEFC371000-0x000007FEFC373000-memory.dmpFilesize
8KB
-
memory/1772-7-0x0000000000000000-mapping.dmp
-
memory/1772-8-0x0000000076641000-0x0000000076643000-memory.dmpFilesize
8KB
-
memory/2008-2-0x0000000072CD1000-0x0000000072CD4000-memory.dmpFilesize
12KB
-
memory/2008-3-0x0000000070751000-0x0000000070753000-memory.dmpFilesize
8KB
-
memory/2008-4-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/2008-9-0x0000000000560000-0x0000000000561000-memory.dmpFilesize
4KB